U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

EPA's Information Systems and Data Are at Risk Due to Insufficient Training of Personnel With Significant Information Security Responsibilities

Report No. 14-P-0142                    March 21, 2014

Abbreviations

CIO      Chief Information Officer
EPA      U.S. Environmental Protection Agency
FISMA    Federal Information Security Management Act
GAO      Government Accountability Office
IMO      Information Management Officer
IPA      Independent Public Accounting
ISO      Information Security Officer
ISSO     Information System Security Officer
IT       Information Technology
NIST     National Institute of Standards and Technology
OEI      Office of Environmental Information
OIG      Office of Inspector General
OPM      Office of Personnel Management
SAISO    Senior Agency Information Security Officer
SIO      Senior Information Officer
SP       Special Publication

14-P-0142
U.S. Environmental Protection Agency
Office of Inspector General
March 21, 2014

At a Glance

EPA's Information Systems and Data Are at Risk Due to Insufficient Training of Personnel With Significant Information Security Responsibilities

Why We Did This Review

The U.S. Environmental Protection Agency's (EPA's) Office of Inspector General (OIG) contracted with KPMG LLP, an independent public accounting (IPA) firm, to conduct an audit of the qualifications and current skills of EPA personnel with significant information security responsibilities, to determine their training needs and evaluate consistency with the E-Government Act of 2002.

The E-Government Act requires federal agency information technology (IT) security personnel to maintain sufficient training and knowledge to conduct their duties.

This report addresses the following EPA theme:

• Strengthening EPA's workforce and capabilities.

For further information, contact our public affairs office at (202) 566-2391.

The full report is at: www.epa.gov/oig/reports/2014/20140321-14-P-0142.pdf

What the IPA Auditor Found

The EPA lacks an information security role-based training program that defines specific training requirements for personnel with significant information security responsibilities. Implementation of the EPA's information security training program is hindered by inconsistent assignment of information security roles across the various EPA offices. The current training program does not consider the specific needs of technical and managerial personnel responsible for implementing information security as required by federal guidance. Management has not completed efforts to tailor the existing training programs to align them with the EPA's organizational structure. The EPA's decentralized structure creates differing levels of information security implementation and oversight of training requirements. As a result, training may be insufficient to assure management that personnel with significant information security duties have the skills and understanding necessary to identify, prevent or mitigate vulnerabilities affecting the EPA's information systems and infrastructure.

    The EPA places its information systems and data at risk due to an organizational structure that has not specified required duties and responsibilities to ensure personnel are trained on key information security roles.

The IPA is responsible for the content of the audit report. The OIG performed the procedures necessary to obtain reasonable assurance about the IPA's independence, qualifications, technical approach and audit results. Having done so, the OIG accepts the IPA's conclusions and recommendations.

Recommendations and Agency Corrective Actions

The IPA's report recommends that the Assistant Administrator for Environmental Information: (1) define key information security aspects and duties for each security role; (2) provide additional training options specific to the federal information security environment and EPA information security roles; (3) standardize the terminology and definition of responsibilities for key IT security roles; and (4) provide clearer delineation of which EPA organizations should be responsible for delivering specific elements of information security role-based training. EPA agreed with the recommendations and is taking corrective action.

Noteworthy Achievements

The EPA conducts an annual Security and Operations conference. The EPA also implemented an annual specialized training requirement for employees with significant information security responsibilities.

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

THE INSPECTOR GENERAL

March 21, 2014

MEMORANDUM

SUBJECT:  EPA's Information Systems and Data Are at Risk Due to Insufficient Training of Personnel With Significant Information Security Responsibilities
          Report No. 14-P-0142

FROM:     Arthur A. Elkins Jr.

TO:       Renee P. Wynn, Acting Assistant Administrator and Chief Information Officer
          Office of Environmental Information

The independent public accounting (IPA) firm KPMG LLP conducted this audit on behalf of the U.S. Environmental Protection Agency's (EPA's) Office of Inspector General (OIG). This is the IPA's report on the subject audit conducted on behalf of the OIG. This report contains findings that describe the problems the IPA identified and corrective actions the IPA recommends. The Senior Agency Information Security Officer is the primary official responsible for the agency program that KPMG reviewed during this audit. This report represents the opinion of the IPA and does not necessarily represent the final EPA position. The agency concurred with all the report's recommendations and provided high-level planned corrective actions with milestone dates, which KPMG found acceptable.

Action Required

Based upon your response to the draft report, we will close this report in our audit tracking system upon issuance. We believe the proposed actions, when implemented, will adequately address the report's findings and recommendations. Please provide updated information in the EPA's Management Audit Tracking System as you complete each planned corrective action or revise any corrective actions and/or milestone dates. If you are unable to meet your planned milestones, or believe other corrective actions are warranted, please send us a memorandum stating why you are revising the milestones or why you are proposing alternative corrective actions, as required by EPA Manual 2750.

If you or your staff have any questions regarding this report, please contact Richard Eyermann, acting Assistant Inspector General for Audit, at (202) 566-0565 or eyermann.richard@epa.gov; or Rudolph M. Brevard, Director, Information Resources Management Audits, at (202) 566-0893 or brevard.rudy@epa.gov.

March 4, 2014

Re: Assessment of EPA Personnel with Significant Information Security Responsibilities

Thru:  Arthur A. Elkins, Jr.
       Inspector General

To:    Renee P. Wynn, Acting Assistant Administrator for Environmental Information and Chief Information Officer

Thank you for providing KPMG LLP (KPMG) with the opportunity to assist the Environmental Protection Agency Office of Inspector General in performing an assessment of EPA personnel with significant information security responsibilities.

In summary, we found opportunities for improvement in the development and implementation of EPA's role-based information security awareness program across the regional and program offices supporting the EPA's mission. Although Federal personnel generally demonstrated a high level of awareness of responsibilities associated with their assigned information security roles, EPA could take additional steps to formalize the management of roles and responsibilities across its workforce and align training requirements to those roles.

Please provide your written comments to the EPA OIG points of contact.

Sincerely,

Tony Hubbard, Principal

Table of Contents

Chapters

   1  Introduction ..... 1
         Purpose ..... 1
         Background ..... 1
         Responsible Office ..... 1
         Noteworthy Achievements ..... 2
         Scope and Methodology ..... 2

   2  Information Security Role-Based Training Efforts Can Be Better Defined ..... 3
         Definition of Roles and Responsibilities Is Incomplete or Inconsistent ..... 3
         Role-Based Training Is Not Specific to Assigned Information Security Roles ..... 4
         Available Skillport Training Does Not Align With EPA Professionals' Needs ..... 5
         Recommendations ..... 7
         Agency Comments and KPMG Evaluation ..... 8

   3  Information Security Governance Supporting Training Efforts Can Be Improved ..... 9
         Assignment of Information Security Roles Is Inconsistent ..... 9
         Organization Structure for Information Security Roles Is Inconsistent ..... 9
         Recommendations ..... 12
         Agency Comments and KPMG Evaluation ..... 12

   Status of Recommendations and Potential Monetary Benefits ..... 13

Appendices

   A  Survey Questions ..... 14
   B  Agency Response to Draft Report ..... 17
   C  Revised Agency Corrective Action Plan to Report Recommendations ..... 20
   D  Distribution ..... 22

Chapter 1
Introduction

Purpose

The objective of this review was to evaluate the qualifications and current skills of U.S. Environmental Protection Agency (EPA) personnel with significant information security responsibilities, determine their training needs, and determine whether the EPA's information security workforce possesses the knowledge, competencies and skills necessary to meet agency goals as mandated by the E-Government Act of 2002.

Background

On December 17, 2002, the President signed into law the E-Government Act of 2002, providing a comprehensive framework for information security standards and programs. Title III of the E-Government Act is the Federal Information Security Management Act (FISMA), which requires federal Chief Information Officers (CIOs) to assess and report on the status of their agency's information security program. FISMA focuses on information security program management, implementation and evaluation aspects of the security of federal information systems. FISMA also codifies existing guidance from the Office of Management and Budget and National Institute of Standards and Technology (NIST), as well as regulations from the Clinger-Cohen Act of 1996. FISMA requires that information security personnel possess professional qualifications, including training and experience, required to administer the functions described in the act. In addition, FISMA requires federal agencies to adequately train all personnel with significant information security responsibilities. According to FISMA, an agency must ensure that it has trained personnel sufficient to assist the agency in complying with the requirements of the act.

Responsible Office

EPA's Chief Information Officer (CIO), within the Office of Environmental Information, is responsible for developing and maintaining an information security program as required by the E-Government Act of 2002, Title III Information Security, also known as the Federal Information Security Management Act. Within the CIO office, EPA's Senior Agency Information Security Officer (SAISO) is responsible for developing and maintaining role-based training, education and credentialing requirements to ensure personnel with significant information security responsibilities receive adequate training with respect to their responsibilities.

Noteworthy Achievements

We generally noted that the EPA information security personnel we interacted with through the survey and interviews did appear to possess the qualifications, skills and experience necessary to execute their assigned security-related responsibilities. We also noted that the EPA has some processes in place to promote information security training and knowledge, such as offering an annual Information Security Officer (ISO) conference in classroom and webcast-based formats, conducting monthly ISO coordination meetings, and implementing an annual specialized training requirement for employees with significant information security responsibilities under the direction of the SAISO.

Scope and Methodology

We initially conducted a Web-based survey to gather anonymous input on improving the EPA's information security program (356 EPA federal employees completed the survey). We used the survey results to gather data related to the responders' office/region, extent of security training, years of relevant experience, relevant professional certifications, operational responsibilities, and familiarity with the EPA's information security policies and practices. We have provided the survey questions as Appendix A to this report.

We also interviewed 87 EPA employees with significant information security responsibilities located at the following offices:

•  Headquarters program offices.
•  Research Triangle Park (North Carolina).
•  Region 5 (Chicago, Illinois).
•  Region 8 (Denver, Colorado).

The results of our survey and interviews are not statistically valid, and therefore we cannot project the results to the EPA organization as a whole.

We also reviewed EPA policies and procedures relevant to this review.

We initiated the review in March 2012, conducted the survey from October to December 2012, and completed the review procedures in August 2013. Evaluation fieldwork was conducted in accordance with generally accepted government auditing standards.

Chapter 2
Information Security Role-Based Training Efforts Can Be Better Defined

The EPA's information security training and awareness programs are based upon inconsistent assignment and definition of related roles and responsibilities across the various regional and program offices. Existing training materials do not adequately consider the specific needs of technical and managerial personnel with assigned and collateral responsibilities for information security as required by EPA, NIST, and Office of Personnel Management (OPM) requirements. Management has not completed efforts to tailor existing training programs to align with the EPA's organizational structure. As a result, training may be insufficient to assure management that information security personnel have the skills and understanding necessary to identify and prevent or mitigate vulnerabilities affecting the EPA's information systems and infrastructure and the underlying financial or mission-critical business data.

Definition of Roles and Responsibilities Is Incomplete or Inconsistent

There are no specific information security training requirements or curriculum defined for personnel with significant information security roles, such as an ISO. In the memorandum, "Training for EPA Employees with Significant Information Security Responsibilities," addressed to ISOs (initially issued on June 23, 2003, and reissued each subsequent fiscal year), the SAISO listed 17 information security roles as a basis for identifying individuals in the ISOs' organizations subject to role-based training requirements. The 17 defined roles are generally comparable to roles defined in NIST guidance, but the responsibilities of the roles can vary greatly. For instance, many EPA information security professionals are called ISOs, but the individuals assigned the role of ISO can have widely varying duties and levels of responsibility. They may be a Primary ISO for an office or region, a local ISO at a field location, an ISO for a single system, or a security professional at a data center who supports network or systems infrastructure.

Further, there are inconsistencies in the naming and definition of information security roles among various EPA policies and organizations. For example, EPA CIO Policy 2150.3, EPA Information Security Policy, defines the following information security roles: CIO, SAISO, Senior Information Officer (SIO), Authorizing Official's Designated Representative, System Owner, Information System Security Officer (ISSO), and Common Controls Provider. However, CIO Procedure 2150.3-P-02.1, Information Security – Interim Awareness and Training Procedures v.3.1, lists roles and responsibilities for the CIO, System Owners, Information Owners, Information Technology (IT) Security Program Managers, managers and supervisors, EPA Administrator, and general end users. Although there are references to other roles, the procedure does not define roles and responsibilities with respect to the EPA's information security training and awareness program for other defined positions within the agency, including the SAISO, SIOs, Primary ISOs, and ISSOs.

Role-Based Training Is Not Specific to Assigned Information Security Roles

Of the 356 survey respondents, 51 (14 percent) indicated they did not receive specialized role-based information security training in the prior year. Specific training is needed for many information security roles, such as: 1) NIST-defined information security roles, such as those supporting system certification and accreditation and continuous monitoring efforts; 2) technology or tool training, in particular for network and system administrators, system developers, firewall administrators, Network Operations Center staff, and incident response professionals; 3) role-specific training, such as training for an ISSO, guiding the activities those professionals need to perform for that role; and 4) training specific to relevant professional certifications, such as the Certified Information Systems Security Professional. The need for this role-based training is summarized in figure 1, which presents data collected directly from our survey, sorted by program office or regional office, and illustrates the percentages of EPA personnel with significant information security responsibilities who do not feel they have sufficient role-based training to perform their duties.

Figure 1: Percentage of EPA personnel who believe they do not have sufficient IT security role-based training (by program office and regional location)¹

[Bar chart; vertical axis 0 to 40 percent. Bars shown for Total, OECA, OW, OAR, OIG, OSWER, OEI, OCFO, OA, OCSPP, OITA, OARM, OGC, ORD, and Regions 1 through 10.]

Source: Independent public accounting firm's (IPA's) survey results.

¹ Zero percent of Office of General Counsel, Office of Inspector General and Region 5 survey respondents indicated that they did not believe they have sufficient IT security role-based training.

Available Skillport Training Does Not Align With EPA Professionals' Needs

Skillport is the EPA's online training tool, and one of the primary tools for offering information security training to EPA professionals. We noted that Skillport provides essentially the same set of courses for all information security personnel regardless of role. Although the EPA refers to Skillport as a "role-based" training tool, there is limited distinction made in the training requirements between executive and technical personnel. Based on EPA personnel feedback from the interviews and survey responses, the Skillport training appears to be too technical for executive-level personnel and too general for technical personnel. The results for this issue are summarized in figure 2, which presents data from our interviews and illustrates that only 27 percent of the interview participants felt that Skillport offered adequate role-based training. Notably, 42 percent of interviewees felt that security training needed more EPA and role focus. They noted that available training within Skillport lacked content specific to the EPA, the federal environment, and/or the respondents' assigned information security role(s).

Figure 2: Percentage of EPA personnel that receive value from Skillport

[Pie chart: Adequate (27%); Barely Adequate (11%); Not Adequate (20%); Needs More Focus on EPA/Role (42%).]

Source: IPA's interview results.

In addition, our survey responses noted that 62 (17 percent) of 356 respondents, many of whom were assigned an information security role as a "collateral duty," indicated they did not have adequate experience and training to perform their information security role. Further, the EPA does not provide consistent information security basic training for executive-level personnel who are new to their security role, such as SIOs. Such executives need to have a sound understanding of the FISMA requirements, supporting NIST controls, and corresponding EPA information security policies and procedures, as well as a basic understanding of information security risks and risk management, so they are prepared to make decisions impacting the EPA's information security posture.

The issues we identified during this review are consistent with issues identified in a Government Accountability Office (GAO) report issued in July 2012.² In this report, GAO recommended that the EPA develop and finalize a role-based security training program tailored to the specific training requirements of EPA users' role/position descriptions and to the actions ISOs must take when users do not complete the training. The EPA agreed with the GAO recommendation and responded that it would continue analyzing information security roles and responsibilities for personnel with significant security responsibilities and develop and implement a tailored role-based training program. However, at the time of our review we did not see evidence that the EPA has implemented this tailored role-based training program. We found that these issues exist because the EPA has not completed efforts to clearly align relevant information security training to the specific security-related roles supporting operations within the EPA.

In addition to the E-Government Act, the EPA also needs to comply with the following information security guidelines and requirements:

•  EPA CIO Policy 2150.3, EPA Information Security Policy, August 6, 2012, specifically EPA Information Procedures CIO 2150.3-P-02.1, Information Security – Interim Awareness and Training Procedures v3.1, July 18, 2012:

       EPA shall determine the appropriate content of the security training based on assigned roles and responsibilities and the specific requirements of the information systems to which personnel have authorized access.

       EPA shall provide adequate security-related technical training to the following individuals in order for them to perform their assigned duties:
           i.   Information system managers.
          ii.   System and network administrators.
         iii.   Personnel performing independent verification and validation activities.
         iv.    Security control assessors.
          v.    Other personnel having access to system-level software.

       EPA shall provide the training necessary for these individuals to carry out their responsibilities related to operations security within the context of the organization's information security program.

•  NIST Special Publication (SP) 800-53 Revision 3, "Recommended Security Controls for Federal Information Systems and Organizations," August 2009:

       AT-1, Security Awareness and Training Policy and Procedures: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
           1.  A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
           2.  Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.

       AT-3, Role-Based Security Training: The organization provides role-based security training to personnel with assigned security roles and responsibilities:
           1.  Before authorizing access to the information system or performing assigned duties;
           2.  When required by information system changes; and
           3.  [Assignment: organization-defined frequency] thereafter.

•  OPM Title 5, Code of Federal Regulations Part 930.301, Information Systems Security Awareness Training Program:

       Executives must receive training in information security basics and policy level training in security planning and management.

       Program and functional managers must receive training in information security basics; management and implementation level training in security planning and system/application security management; and management and implementation level training in system/application life cycle management, risk management, and contingency planning.

       CIOs, IT security program managers, auditors, and other security-oriented personnel (e.g., system and network administrators, and system/application security officers) must receive training in information security basics and broad training in security planning, system and application security management, system/application life cycle management, risk management, and contingency planning.

       IT function management and operations personnel must receive training in information security basics; management and implementation level training in security planning and system/application security management; and management and implementation level training in system/application life cycle management, risk management, and contingency planning.

² GAO-12-696, INFORMATION SECURITY: Environmental Protection Agency Needs to Resolve Weaknesses, July 2012.

In addition to complying with government guidelines and requirements, the EPA needs to improve in these areas to help ensure that agency personnel have adequate experience and training to perform their assigned information security roles.

Recommendations

KPMG recommends that the Assistant Administrator for Environmental Information:

   1.  Define key information security aspects and duties for each security role. This includes identifying, where appropriate, broadly similar characteristics within each role to allow for more precise alignment of roles to applicable training requirements. This also includes ensuring that existing EPA policies, procedures, and guidance fully and consistently define all information security roles and responsibilities currently implemented across the organization.

   2.  Provide additional training options specific to the federal information security environment and EPA information security roles, such as the processes and controls outlined in NIST SP 800-53. Training should be specific to supporting EPA professionals in executing and performing assigned information security roles and responsibilities in accordance with EPA policies and procedures. For example, vendor training may be warranted for hands-on information security roles, but general orientation training may be suitable for executives.

Agency Comments and KPMG Evaluation

The agency agreed with these recommendations and provided a response to the draft report which included corrective actions and milestone dates. We found the response to be acceptable. Subsequent to issuing the draft report, KPMG and the OIG met with the agency to discuss the report's findings and recommendations. As a result of those discussions and the agency's response to the draft, we updated the report as appropriate.

The agency initially did not agree with draft report recommendation 3. The agency stated further clarification was requested for this recommendation. We subsequently met with agency representatives to discuss the recommendation and updated recommendation 1 to include elements of recommendation 3 relative to the alignment of roles to information security training requirements.
The agency concurred with the updated recommendation and provided a high-level
corrective action plan with completion dates.

                                      Chapter 3
        Information Security Governance Supporting
              Training Efforts Can Be Improved

Implementation of the EPA’s information security training program is hampered by inconsistent
assignment of information security roles across the various regional and program offices. These
offices’ organizational structures vary widely, resulting in differing governance models and,
consequently, differing levels of implementation and oversight of training requirements for the
EPA personnel performing technical and managerial functions related to information security.
These inconsistencies result in inadequate implementation of the EPA, NIST, and OPM
requirements related to the provisioning of focused, role-based training for individuals at all
levels throughout the EPA’s hierarchy. This organizational structure can further expose the
organization and its systems and underlying sensitive data to the risk of unauthorized access,
misuse or disclosure.

Assignment of Information Security Roles Is Inconsistent
The process for assigning information security roles varies across the EPA offices. For instance,
some information security duties are formally defined within position descriptions, while others
have information security responsibilities as a collateral duty. Assignment of information
security roles to individuals does not necessarily consider whether the individual has sufficient
previous relevant experience to ensure the adequacy of security controls for the information
system(s) for which they are responsible. We learned that the EPA assigns information security
roles to individuals in an informal manner and does not link the roles to established position
descriptions or to the agency’s Performance Appraisal and Recognition System. Specifically,
position descriptions and corresponding Performance Appraisal and Recognition System
elements are typically limited to baseline descriptions defined by OPM and are not further
tailored to reflect additional “collateral” responsibilities, nor are they revised as responsibilities are
assigned after the individual has initially been placed in the position. Further, the EPA does
not consistently define the various agency information security roles. For instance, it is unclear
whether individuals are required to have certain credentials (e.g., professional certifications,
in-house training) or experience with specific technologies, platforms, or utilities necessary to
implement or monitor technical controls on the EPA’s networks and systems.

Organization Structure for Information Security Roles Is Inconsistent
There are different information security governance and organizational models across the EPA.
For instance, in some regional and program offices, the SIO has direct oversight of IT operations
within the organization, while in others a separate Program Manager is designated with this
oversight of IT operations. In some cases an Information Management Officer (IMO) has just an
oversight role, while in others the IMO is also the Branch Chief and supervisor for operations
personnel. Additionally, a Primary ISO for an office or region may receive guidance from the
Senior Agency ISO, the SIO and possibly the IMO. In turn, the Primary ISO may give guidance to
System Owners, ISSOs, local ISOs and alternates. A System Owner may have to respond to the
Primary ISO, Program Manager, ISO and IMO. Consequently, the EPA has not consistently
established lines of authority and the expected interaction between various information security
roles. This inconsistency greatly complicates the tasks of defining necessary skills and
identifying which organizational level should have the responsibility for providing the
appropriate type of role-based training.

We found that these issues exist because the EPA has a decentralized information security
management structure, with responsibilities shared among many organizational components,
including headquarters, regional offices, and the National Computer Center in Research Triangle
Park. Although there is one SAISO with EPA-wide responsibilities, including coordination with
the Office of Environmental Information’s (OEI’s) Mission Investment Solutions Division for
the development and implementation of EPA’s agencywide information security training
program, there are also 23 Primary ISOs with similar roles in each office and region. Further, the
EPA has not made readily apparent the extent of responsibility and cooperation needed among
these organizations for ensuring that information security personnel in all roles have the
necessary skills and training. Finally, some information security roles are collateral duties held
by personnel whose position and primary work responsibilities may entail unrelated functions.
Consequently, the individual assigned these types of collateral information security roles may
have little or no experience. Such roles include SIO, IMO, Program Manager, System Owner,
and Contracting Officer Representative. OEI security management should take on a more
prominent role in ensuring that EPA information security personnel complete necessary training,
as in some cases the ISOs do not have the authority to ensure personnel comply with the training
requirements.

In addition to the E-Government Act, the EPA also needs to comply with the following
information security guidelines and requirements:

•  EPA CIO Policy 2150.3, EPA Information Security Policy, August 6, 2012, specifically
   P-02.1, Information Security – Interim Awareness and Training Procedures, v3.1, July 18,
   2012:

       EPA shall determine the appropriate content of the security training based on assigned roles and
       responsibilities and the specific requirements of the information systems to which personnel have
       authorized access.

       EPA shall provide adequate security-related technical training to the following individuals in order for
       them to perform their assigned duties:
           i.   Information system managers.
          ii.   System and network administrators.
         iii.   Personnel performing independent verification and validation activities.
         iv.    Security control assessors.
          v.
Other personnel having access to system-level software.

       EPA shall provide the training necessary for these individuals to carry out their responsibilities related to
       operations security within the context of the organization’s information security program.

•  EPA CIO Policy 05-001, Senior Information Officials, July 7, 2005:

       Due to increasing legal requirements and good management practices, information and information
       technology management responsibilities and functions are becoming more important for accomplishing the
       Agency’s mission, and the scope and complexity of those responsibilities and functions continue to expand.
       To ensure these increasingly more important responsibilities and functions are performed effectively
       throughout EPA, the Agency’s organizations must have appropriate accountability for this critical area.
       A designated Senior Information Official in each Program and Regional Office will ensure EPA’s
       information and information technology are effectively managed both corporately across the Agency and
       within each organization to achieve EPA’s business needs, mission, and strategic goals, and will help the
       Agency achieve a cohesive, comprehensive approach to its information and information technology
       infrastructure, architecture, security, web policies, and public access.

•  NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information
   Systems and Organizations, August 2009:

       AT-1, Security Awareness and Training Policy and Procedures: The organization develops, documents,
       and disseminates to [Assignment: organization-defined personnel or roles]:
           1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities,
              management commitment, coordination among organizational entities, and compliance; and
           2. Procedures to facilitate the implementation of the security awareness and training policy and
              associated security awareness and training controls.

       AT-3, Role-Based Security Training: The organization provides role-based security training to personnel
       with assigned security roles and responsibilities:
           1. Before authorizing access to the information system or performing assigned duties;
           2. When required by information system changes; and
           3. [Assignment: organization-defined frequency] thereafter.

•  OPM 5 CFR Part 930.301, Information Systems Security Awareness Training Program:

       Executives must receive training in information security basics and policy level training in security
       planning and management.

       Program and functional managers must receive training in information security basics; management and
       implementation level training in security planning and system/application security management; and
       management and implementation level training in system/application life cycle management, risk
       management, and contingency planning.

       CIOs, IT security program managers, auditors, and other security-oriented personnel (e.g., system and
       network administrators, and system/application security officers) must receive training in information
       security basics and broad training in security planning, system and application security management,
       system/application life cycle management, risk management, and contingency planning.

       IT function management and operations personnel must receive training in information security basics;
       management and implementation level training in security planning and system/application security
       management; and management and implementation level training in system/application life cycle
       management, risk management, and contingency planning.

In addition to complying with government guidelines and requirements, the EPA needs to
improve these areas because the lack of a centralized governance structure leads to
inconsistencies in the operation of the information security training program.

Recommendations
KPMG recommends that the Assistant Administrator for Environmental Information:

   3. Standardize the terminology and definition of responsibilities for key IT security
      management and oversight roles across all EPA organizations and within the EPA
      information security policy.

   4. Provide a more clear delineation of which EPA organizations should be responsible for
      delivering specific elements of information security role training, and how collectively and
      cooperatively the training needs of each significant role (including technical and executive-
      level roles) are to be met.

Agency Comments and KPMG Evaluation

The agency agreed with these recommendations and provided us with a response to the draft
report, which included corrective actions with milestone dates.
We found the response to be
acceptable and updated the report as appropriate.

                                 Status of Recommendations and
                                   Potential Monetary Benefits

Table columns: Rec. No.; Page No.; Subject; Status (see note 1); Action Official; Planned
Completion Date; Potential Monetary Benefits (in $000s): Claimed Amount and Agreed-To Amount.
No claimed or agreed-to amount is entered for any of the four recommendations.

Rec. No. 1, Page No. 7
    Subject: Define key information security aspects and duties for each security role. This includes
    identifying, where appropriate, broadly similar characteristics within each role to allow for more
    precise alignment of roles to applicable training requirements. This also includes ensuring that
    existing EPA policies, procedures, and guidance fully and consistently define all information
    security roles and responsibilities currently implemented across the organization.
    Status: O
    Action Official: Assistant Administrator for Environmental Information
    Planned Completion Date: 12/31/2016

Rec. No. 2, Page No. 7
    Subject: Provide additional training options specific to the federal information security
    environment and EPA information security roles, such as the processes and controls outlined in
    NIST SP 800-53. Training should be specific to supporting EPA professionals in executing and
    performing assigned information security roles and responsibilities in accordance with EPA
    policies and procedures. For example, vendor training may be warranted for hands-on information
    security roles, but general orientation training may be suitable for executives.
    Status: O
    Action Official: Assistant Administrator for Environmental Information
    Planned Completion Date: 12/31/2016

Rec. No. 3, Page No. 12
    Subject: Standardize the terminology and definition of responsibilities for key IT security
    management and oversight roles across all EPA organizations and within the EPA information
    security policy.
    Status: O
    Action Official: Assistant Administrator for Environmental Information
    Planned Completion Date: 09/30/2015

Rec. No. 4, Page No. 12
    Subject: Provide a more clear delineation of which EPA organizations should be responsible for
    delivering specific elements of information security role training, and how collectively and
    cooperatively the training needs of each significant role (including technical and executive-level
    roles) are to be met.
    Status: O
    Action Official: Assistant Administrator for Environmental Information
    Planned Completion Date: 12/31/2015

1   O = recommendation is open with agreed-to corrective actions pending
    C = recommendation is closed with all agreed-to actions completed
    U = recommendation is unresolved with resolution efforts in progress

                                                                                     Appendix A

                                  Survey Questions
Note that the survey was Web based and each question had multiple responses available for the
respondent to select. At the end of the survey, we also included several optional questions for the
respondent to consider.

1. In which EPA office are you currently performing IT security duties?

2. Select one or more of the following roles that most closely describe your IT security-related
function(s) within the Agency.

3. For each of the roles you selected in the previous question, please specify the approximate
percentage of time you spend performing functions associated with that role. To account for any
non-IT security-related roles that you may hold additionally, ensure that the total, including
percentage of time spent on “non-IT security related roles” equals 100.

4. Were you required to participate in specialized training prior to assuming your EPA IT
security responsibilities?

5. How frequently do you attend or participate in specialized training (including "refresher"
training) associated with one or more IT security functions for which you have management or
operational responsibility over?

6. Is your participation in specialized training mandated by your supervisor or other EPA
management?

7. How many years of IT security-related experience did you possess prior to assuming
responsibility for that function at EPA?

8. Which of the following IT security functional areas do you have management or operational
responsibility over (check as many as apply) (example responses included Data Security, Digital
Forensics, IT Security Training, etc.).

9. For each of the functional areas you selected in the previous question, please specify the
approximate percentage of time you spend performing that function as a component of your
overall IT security responsibilities at EPA. The total of all values should equal 100 percent of
time spent on IT security responsibilities. Please enter whole numbers, no percentage signs.

10. Rate your level of experience and knowledge in your role that is associated with each of the
following functional areas of IT security using a scale of 1 to 5 as defined below.

11. What IT security-related certifications do you hold?

12. Please select all levels of post-high school education attained.

13. Please select the degree(s) program, major, or area of study completed. You may select more
than 1 degree if applicable.

14. Within the last three years, for which of the following IT security functional areas have you
received specialized or targeted job related training? Place your cursor over the answer choices
to see a short description. Example responses include Data Security, Telecommunications
Security, Personnel Security, etc.

15. For Data Security, please select the terms and concepts associated with specialized or
targeted job related training that you have received within the past three years. Example
responses include Access Controls, Antivirus Software, Authentication, etc.

16. Do you believe you have the training and prior experience needed to effectively and
efficiently perform your assigned IT security related responsibilities?

17. For which specific areas or functions do you feel additional training and/or experience would
better enable you to effectively and efficiently perform your assigned IT security related
responsibilities?

18. How familiar are you with federal and/or EPA policies or requirements pertaining to
specialized training for IT security roles and responsibilities?

19. What factors (if any) hinder you in performing your IT security duties (e.g., undue influence
from your supervisor or senior personnel, lack of authority to provide direction, lack of training,
etc.)?

20. In your opinion, how can EPA strengthen its IT security program?

21. Would you like someone from KPMG to contact you to confidentially discuss your survey
responses in greater detail?

22. Optional Question - Answer this question at your discretion.
Within the last three years, have you attended any specialized or targeted job related training
courses that were particularly or significantly beneficial in improving your capabilities to support
EPA’s IT security program?

23. Optional Question - Answer this question at your discretion.
Please be as specific as possible in identifying the course title, source, subject matter and
corresponding capabilities improved by your attendance.

24. Optional Question - Answer this question at your discretion.
Within the last three years, were there any job related training courses that did NOT improve
your capabilities?

25. Optional Question - Answer this question at your discretion.
Please be as specific as possible in identifying the course title, subject matter and intended
capabilities that were not addressed by the course.

26. Optional Question - Answer this question at your discretion.
Please provide any additional general comments or feedback concerning EPA’s IT security
program, training and development requirements and resources, or other relevant topic areas.

                                                                                   Appendix B

                  Agency Response to Draft Report
MEMORANDUM

SUBJECT:   Response to Office of Inspector General Draft Report No. OMS-FY12-0006 “EPA
           Should Enhance Existing Training Program for Personnel with Significant
           Information Security Responsibilities,” dated January 16, 2014

FROM:      Reneé P. Wynn /s/
           Acting Assistant Administrator and Acting Chief Information Officer

TO:        Arthur A. Elkins, Jr.
           Inspector General

Thank you for the opportunity to respond to the issues and recommendations in the subject audit
report. Following is a summary of the agency’s overall position, along with its position on each
of the report recommendations. For those report recommendations with which the agency agrees,
we have provided high-level intended corrective actions and estimated completion dates.
For the
recommendation with which the OEI does not agree, we have explained our position, and
proposed alternatives to recommendations.

AGENCY’S OVERALL POSITION
Of the five recommendations in the draft audit report, OEI agrees with 1, 2, 4 and 5 and
describes high-level intended corrective actions in the attached table.

SUMMARY OF DISAGREEMENTS
With respect to recommendation 3, OEI disagrees because further clarification is requested for
this recommendation.

If you have any questions regarding this response, please contact Robert McKinney, subject
audit primary contact, Senior Agency Information Security Officer (SAISO), at (202) 564-0921,
mckinney.robert@epa.gov or Scott Dockum, OEI Audit Follow-Up Manager, Office of Program
Management, Policy, Outreach and Communications Staff at (202) 566-1914,
dockum.scott@epa.gov.

Attachment

AGENCY’S RESPONSE TO REPORT RECOMMENDATIONS

Agreements
Table columns: No.; Recommendation; High-Level Intended Corrective Action(s); Estimated
Completion by Quarter and FY. Each entry below lists the corrective action(s) and estimated
completion first, followed by the recommendation text.

No. 1 (Estimated Completion by Quarter and FY: Quarter 4, FY15)
    High-Level Intended Corrective Action(s): OEI will continue to refine identified roles and their
    respective responsibilities in the agency Roles and Responsibilities procedure (CIO-215-.3-P-19.1),
    the reference document for information security roles and responsibilities. OEI will ensure role
    names are consistently used throughout OEI developed policies, procedures and guidelines.
    Recommendation: Define key information security aspects and duties for each security role to
    allow for more defined training and ensure that existing EPA policies, procedures, and guidance
    fully and consistently define all information security roles and responsibilities currently
    implemented across the organization.

No. 2 (Estimated Completion by Quarter and FY: Quarter 1, FY16)
    High-Level Intended Corrective Action(s): OEI will review training options and inform agency
    personnel of appropriate training options for each identified role(s).
    Recommendation: Provide additional training options specific to the federal information security
    environment and EPA information security roles, such as the processes and controls outlined in
    NIST SP 800-53. Training should be specific to supporting EPA professionals in executing and
    performing assigned information security roles and responsibilities in accordance with EPA
    policies, and procedures. For example, vendor training may be warranted for hands on information
    security roles, but general orientation training may be suitable for executives.

No. 4 (Estimated Completion by Quarter and FY: Quarter 4, FY15)
    High-Level Intended Corrective Action(s): OEI will continue to support the consistent use of
    terminology and definitions for key IT security roles. OEI will continue to refine and update the
    roles and responsibilities procedure, CIO-215-.3-P-19.1, as necessary.
    Recommendation: Standardize the terminology and definition of responsibilities for key IT
    security management and oversight roles across all EPA organizations and within the EPA
    information security policy.

No. 5 (Estimated Completion by Quarter and FY: Quarter 1, FY15)
    High-Level Intended Corrective Action(s): OEI is developing a role based training program that
    addresses training requirements for both technical and non-technical roles that have significant
    information security responsibilities.
    Recommendation: Provide a more clear delineation of which EPA organizations should be
    responsible for delivering specific elements of information security role training, and how
    collectively and cooperatively the training needs of each significant role (including technical and
    executive level roles) are to be met.

Disagreements
Table columns: No.; Recommendation; Agency Explanation/Response; Proposed Alternative.

No. 3 (Proposed Alternative: N/A)
    Agency Explanation/Response: Further clarification is requested for this recommendation.
    Recommendation: Complement the Skillport training process by establishing an appropriate
    number of information security roles that identify broadly similar characteristics and inherently
    governmental roles, and link these roles to applicable training requirements.

                                                                                             Appendix C

                Revised Agency Corrective Action Plan
                     to Report Recommendations
Table columns: No.; Recommendation; High-Level Intended Corrective Action(s); Estimated
Completion by Quarter and FY. Each entry below lists the corrective action(s) and estimated
completion first, followed by the recommendation text.

No. 1 (Estimated Completion by Quarter and FY: Quarter 1, FY16)
    High-Level Intended Corrective Action(s): In developing a role based training program, OEI will
    define the responsibilities for each role and closely align them to appropriate training. OEI will
    continue to develop new and update existing policies, procedures, and guidance under OEI’s
    purview so that information security roles and responsibilities are defined consistently.
    Recommendation: Define key information security aspects and duties for each security role. This
    includes identifying, where appropriate, broadly similar characteristics within each role to allow
    for more precise alignment of roles to applicable training requirements. This also includes
    ensuring that existing EPA policies, procedures, and guidance fully and consistently define all
    information security roles and responsibilities currently implemented across the organization.

No. 2 (Estimated Completion by Quarter and FY: Quarter 1, FY16)
    High-Level Intended Corrective Action(s): OEI will review training options and inform agency
    personnel of appropriate training options for each identified role(s).
    Recommendation: Provide additional training options specific to the federal information security
    environment and EPA information security roles, such as the processes and controls outlined in
    NIST SP 800-53. Training should be specific to supporting EPA professionals in executing and
    performing assigned information security roles and responsibilities in accordance with EPA
    policies, and procedures.
For example, vendor\n            training may be warranted for hands on\n            information security roles, but general\n            orientation training may be suitable for\n            executives.\xc2\xa0\n\n\n\n\n14-P-0142                                                                                               20\n\x0c    No.\xc2\xa0              Recommendation                      High-Level Intended               Estimated\n      \xc2\xa0                          \xc2\xa0                        Corrective Action(s)\xc2\xa0          Completion by\n                                                                                         Quarter and FY\n3           Standardize the terminology and             OEI will continue to           Quarter 4, FY15\n            definition of responsibilities for key IT   support the consistent use\n            security management and oversight           of terminology and\n            roles across all EPA organizations and      definitions for key IT\n            within the EPA information security         security roles. 
OEI will\n            policy.\xc2\xa0                                    continue to refine and\n                                                        update the roles and\n                                                        responsibilities procedure,\n                                                        CIO-215-.3-P-19.1, as\n                                                        necessary.\n4           Provide a more clear delineation of         OEI is developing a role       Quarter 1, FY15\n            which EPA organizations should be           based training program\n            responsible for delivering specific         that addresses training\n            elements of information security role       requirements for both\n            training, and how collectively and          technical and non\xc2\xad\n            cooperatively the training needs of         technical roles that have\n            each significant role (including            significant information\n            technical and executive level roles) are    security responsibilities. \xc2\xa0\n            to be met.\xc2\xa0\n\n\n\n\n14-P-0142                                                                                                 21\n\x0c                                                                                Appendix D\n\n\n                                    Distribution\nOffice of the Administrator\nAssistant Administrator for Environmental Information and Chief Information Officer\nAgency Follow-Up Official (the CFO)\nAgency Follow-Up Coordinator\nGeneral Counsel\nAssociate Administrator for Congressional and Intergovernmental Relations\nAssociate Administrator for External Affairs and Environmental Education\nSenior Agency Information Security Officer\nAudit Follow-Up Coordinator, Office of Environmental Information\n\n\n\n\n14-P-0142                                                                               22\n\x0c'